Summary



Security breaches involving electronic personal data have come to light largely as 
a result of the California Security Breach Notification Act, a California law that went 
into effect in 2003. In response to frequently occurring breaches of personal data, many 
states passed laws that would require companies to notify persons affected by such 
security breaches. By December 2006, 34 states had enacted data security laws. 
Numerous data breach notice and data security bills were considered in the 109th 
Congress, but not passed. This report provides a brief discussion of federal and state 
data breach notice and data security laws. 



The security of personal information and risks to data are paramount concerns 
addressed in federal and state law, legislation, and regulations. The public disclosure of 
breaches of customer databases in 2005 heightened interest in the business and regulation 
of data brokers. 1 Data brokers collect personal information from public and private 
records and sell this information to public and private sector entities for many purposes, 
from marketing to law enforcement and homeland security purposes. 2 Recent data 
security breaches illustrate (1) the risks associated with collecting and disseminating large 
amounts of electronic personal information, (2) the increased visibility of data security 
breaches as a result of consumer notice requirements, and (3) the potential risk of harm 
or injury to consumers from identity theft crimes (e.g., credit card fraud, check fraud, 
mortgage fraud, health-care fraud, and the evasion of law enforcement). One result of the 
highly publicized breaches of personal data security has been a new focus on establishing 



1 “In particular, two types of businesses exist in this industry: (1) ‘individual reference services 
providers’ (IRSPs), which sell ‘profiles’ and other reports containing confidential personal 
information about individuals; and (2) ‘marketing list brokers,’ which sell lists of names, mailing 
addresses or electronic mail addresses of individuals, grouped by characteristics, conditions, 
circumstances, traits, preferences or mode of living.” Federal Trade Commission, Individual 
Reference Sendees: A Federal Trade Commission Report to Congress (Dec. 17, 1997), available 
at [http://www .ftc.gov/os/ 1 997/1 2/irs.pdf] . 

2 CRS Report RS22137, Data Brokers: Background and Industry Overview. 
security standards for safeguarding customer information 3 and imposing security breach 
notification obligations on entities that own, possess, or license sensitive personal 
information. 

Although no single federal law governs data brokers, other statutes and regulations 
may be applicable. A review of the laws regulating the use and disclosure of information 
collected by information brokers appears in CRS Report RL33005, Information Brokers: 
Federal and State Laws , by Angie A. Welborn. In the late 1990s, the Federal Trade 
Commission (FTC) endorsed self-regulation for the information broker industry as an 
alternative to comprehensive federal privacy regulation. 4 The FTC also endorsed industry 
adherence to a set of principles promulgated by the Individual References Service Group 
(IRSG) to address most of the concerns associated with the increased availability of 
nonpublic information. 5 Some of the largest information brokers that disclosed data 
security breaches in 2004 and 2005, such as Acxiom and ChoicePoint, had signed on to 
the IRSG principles for the protection of nonpublic information. 

Federal Data Security Standards. Certain sectors are currently subject to legal 
obligations to protect sensitive personal information. These obligations were created, in 
large part, through the enactment of federal privacy legislation in the financial services, 
health-care, government, and Internet sectors. Federal regulations that support federal 
privacy laws impose obligations on covered entities, requiring them to implement 
information security programs that protect personal information. 6 

The Department of Veterans Affairs Information Security Act of 2006 requires the 
Department of Veterans Affairs (VA) to implement agency-wide information security 
procedures, including limiting access to sensitive information. 7 The law also requires the 
VA to include data security requirements in all contracts with private-sector service 
providers. 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires 
the Secretary of Health and Human Services to issue a rule to implement security 



3 Consumer data broker ChoicePoint, Inc., which in 2005 acknowledged that the personal 
financial records of more than 163,000 consumers in its database had been compromised, recently 
agreed to pay $10 million in civil penalties and $5 million in consumer redress to settle Federal 
Trade Commission charges that its security and record-handling procedures violated consumers’ 
privacy rights and federal laws. The settlement requires ChoicePoint to implement new 
procedures to ensure that it provides consumer reports only to legitimate businesses for lawful 
purposes, to establish and maintain a comprehensive information security program, and to obtain 
audits by an independent third-party security professional until 2026. U.S. v. ChoicePoint Inc. 
(D. Ct. for the Northern District of Georgia, Atlanta Division), FTC File No. 052-3069 (Jan. 26, 
2006), available at [http://www.ftc.gov/opa/2006/01/choicepoint.htm]. 

4 CRS Report RL30322, Online Privacy Protection: Issues and Developments, by Gina Stevens. 

5 Individual Reference Services Industry Principles (Dec. 15, 1997), available at 
[http://www.ftc.gov/os/1997/12/irsappd.pdf]. 

6 Thomas J. Smedinghoff, The New Law of Information Security: What Companies Need To Do 
Now, 22 The Computer & Internet Lawyer 9 (Nov. 2005). 

7 P.L. No. 109-461 (Dec. 22, 2006). 
standards for health information. 8 The HIPAA Security Standards Rule, which went into 
effect in April 2005, requires health-care-covered entities to maintain administrative, 
technical, and physical safeguards to ensure the confidentiality, integrity, and availability 
of electronic protected health information; to protect against any reasonably anticipated 
threats or hazards to the security or integrity of such information; and to protect against 
any unauthorized uses or disclosures of such information. 9 The Children’s Online Privacy 
Protection Act of 1998 (COPPA) requires an owner or operator of a website or online 
service directed to children, or any operator that collects or maintains personal 
information from a child, to establish and maintain reasonable procedures to protect the 
confidentiality, security, and integrity of personal information collected from children. 10 
The FTC’s Safeguards Rule, issued to implement provisions of the Gramm-Leach-Bliley 
Act of 1999 (GLBA), requires financial institutions to have an information security plan 
that contains administrative, technical, and physical safeguards to protect the security, 
confidentiality, and integrity of personal consumer information. 11 Interagency guidance 
issued by the federal banking regulators to implement provisions of the 
Gramm-Leach-Bliley Act of 1999 requires covered entities to implement information 
security programs to ensure the security and confidentiality of customer information, 
protect against anticipated threats or hazards to the security or integrity of such 
information, and protect against unauthorized access to or use of such information that 
could result in substantial harm or inconvenience to any customer. 12 The Federal 
Information Security Management Act of 2002 requires federal government agencies to 
provide information security protections for agency information and information systems 
to provide integrity, confidentiality, and availability. 13 

Under the Federal Trade Commission Act, the Commission is empowered, among 
other things, to prevent unfair methods of competition and unfair or deceptive acts or 
practices in or affecting commerce. 14 Using its authority under Section 5, which prohibits 
unfair or deceptive practices, the Commission has brought a number of cases to enforce 
the promises in privacy statements, including promises about the security of consumers’ 



8 P.L. 104-191, tit. II, subtitle F, § 262, 110 Stat. 2025, 42 U.S.C. §§ 1320d et seq.; see CRS 
Report RS21505, Compliance with the HIPAA Medical Privacy Rule, by Gina Marie Stevens. 

9 HIPAA Security Standards for the Protection of Electronic Personal Health Information, 45 
C.F.R. Part 164 (Feb. 20, 2003); see CRS Report RL30620, Health Information Standards, 
Privacy, and Security: HIPAA’s Administrative Simplification Regulations, by C. Stephen 
Redhead. 

10 15 U.S.C. § 6501 et seq., 16 C.F.R. Part 312; see CRS Report RL31408, Internet Privacy: 
Overview and Pending Legislation, by Marcia S. Smith. 

11 Standards for Insuring the Security, Confidentiality, Integrity and Protection of Customer 
Records and Information, 16 C.F.R. Part 314. 

12 Interagency Guidelines Establishing Standards for Safeguarding Customer Information, 12 
C.F.R. Part 30, Appendix B (OCC), 12 C.F.R. Part 208, Appendix D (Federal Reserve System), 
12 C.F.R. Part 364, Appendix B (FDIC), and 12 C.F.R. Part 568 (Office of Thrift Supervision); 
see CRS Report RS20185, Privacy Protection for Customer Financial Information, by M. 
Maureen Murphy. 

13 44 U.S.C. § 3541 et seq.; see CRS Report RL32357, Computer Security: A Summary of 
Selected Federal Laws, Executive Orders, and Presidential Directives, by John Moteff. 

14 15 U.S.C. §§ 41-58. 
personal information. In the BJ’s Wholesale case, the FTC developed and imposed security 
procedures pursuant to its jurisdiction over unfair and deceptive trade practices. 15 The 
settlement requires BJ’s to establish and maintain a comprehensive information security 
program that includes administrative, technical, and physical safeguards. The settlement 
also requires BJ’s to obtain an audit from a qualified, independent third-party professional 
that its security program meets the standards of the order and to comply with standard 
bookkeeping and record-keeping provisions. 

Federal Data Breach Notification Standards. The imposition of security 
breach notification obligations on entities that own, possess, or license sensitive personal 
information is a relatively new phenomenon. As discussed below, California was the first 
jurisdiction to enact a data breach notification law in 2002. Subsequently, numerous 
federal and state bills emerged to impose notification requirements on entities that collect 
sensitive personal information. 

Both the Response Program Guidelines issued in March 2005 by the federal banking 
regulators to interpret the requirements of the GLBA 16 and the Security Guidelines require 
implementation of a response program to address unauthorized access to or use of 
customer information maintained by a financial institution or its service provider that 
could result in substantial harm or inconvenience to any customer, and require disclosure 
of a data security breach if the covered entity concludes that “misuse of its information 
about a customer has occurred or is reasonably possible.” 17 Pursuant to the guidance, 
substantial harm or inconvenience is most likely to result from improper access to 
“sensitive customer information.” 18 At a minimum, an institution’s response program 
should contain procedures for (1) assessing the nature and scope of an incident and 
identifying what customer information systems and types of customer information have 
been accessed or misused; (2) notifying its primary federal regulator when the institution 
becomes aware of an incident involving unauthorized access to or use of sensitive 
customer information; (3) consistent with the Agencies’ Suspicious Activity Report 



15 In the Matter of BJ’s Wholesale Club, Inc., File No. 042 3160 (Sep. 23, 2005), available at 
[http://www.ftc.gov/os/caselist/0423160/0423160.htm]; see also note 3, supra. 

16 Section 501(b) required the Agencies to establish standards for financial institutions relating 
to administrative, technical, and physical safeguards to (1) ensure the security and confidentiality 
of customer information, (2) protect against any anticipated threats or hazards to the security or 
integrity of such information, and (3) protect against unauthorized access to or use of such 
information that could result in substantial harm or inconvenience to any customer. 15 U.S.C. 
6801. 

17 Interagency Guidance on Response Programs for Unauthorized Access to Customer 
Information and Customer Notice, Part III of Supplement A to Appendix, at 12 C.F.R. Part 30 
(OCC), 12 C.F.R. Part 208 (Federal Reserve System), 12 C.F.R. Part 364 (FDIC), and 12 C.F.R. 
Part 568 (Office of Thrift Supervision), 70 Fed. Reg. 15736 - 15754 (March 29, 2005). 

18 “Sensitive customer information means a customer’s name, address, or telephone number, in 
conjunction with the customer’s social security number, driver’s license number, account 
number, credit or debit card number, or a personal identification number or password that would 
permit access to the customer’s account. Sensitive customer information also includes any 
combination of components of customer information that would allow someone to log onto or 
access the customer’s account, such as user name and password or password and account 
number.” 70 Fed. Reg. 15736-15754 (Mar. 29, 2005). 
(“SAR”) regulations, notifying appropriate law enforcement authorities; (4) taking 
appropriate steps to contain and control the incident to prevent further unauthorized 
access to or use of customer information (e.g., by monitoring, freezing, or closing affected 
accounts and preserving records and other evidence); and (5) notifying customers when 
warranted. Customer notice may be delayed for a law enforcement criminal investigation. 

The Department of Veterans Affairs Information Security Act of 2006 requires the 
VA to issue interim regulations providing for notice to veterans in case of breach of their 
personal data. 19 The law was enacted to respond to the breach of the personal data of 26.5 
million veterans. 20 The VA is required to notify law enforcement and certain 
congressional committees when a data breach occurs. If unauthorized access to sensitive 
personal information occurs, the VA must perform a risk analysis. If this reveals a 
“reasonable risk” for misuses of the information, the VA is required to notify those 
affected and provide free credit monitoring services. 

State Data Breach Notification Laws. The first state data breach notification law 
was enacted in California in 2002 and took effect in 2003. S.B. 1386, the California 
Security Breach Notification Act, 21 requires entities to notify customers of security 
breaches involving their personal information. 
information. California requires a state agency, or any person or business that owns or 
licenses computerized data that includes personal information, to disclose any security 
breach of data to any resident of the state whose unencrypted personal information was, 
or is reasonably believed to have been, acquired by an unauthorized person. A “breach of 
the security of the system” is defined by the California law as the “unauthorized 
acquisition of computerized data that compromises the security, confidentiality, or 
integrity of personal information maintained by the person or business.” Personal 
information is defined as the first name or initial and last name of an individual, with one 
or more of the following: Social Security Number, driver’s license number, credit card 
or debit card number, or a financial account number with information such as PIN 
numbers, passwords, or authorization codes that could gain access to the account. 
California provides three exemptions to the notification requirement: for personal 
information in encrypted form; for criminal investigations by law enforcement; and for 
breaches that are either immaterial or not “reasonably likely to subject the customers to 
unauthorized disclosure of personal information.” California requires notice be given in 
the “most expedient time possible and without unreasonable delay,” either in writing or 
by e-mail. If a company can show that the cost of notification will exceed $250,000, that 
more than 500,000 people are affected, or that an individual’s contact information is 
unknown, notice may be given through media outlets. 

Since enactment of the California breach notification law, major data security 
breaches have been disclosed by several of the nation’s largest information brokerage 
firms, retailers, universities, and federal and state government agencies. 22 The security 



19 P.L. No. 109-461 (Dec. 22, 2006). 

20 See CRS Report RL33612, Department of Veterans Affairs: Information Security and 
Information Technology Management Reorganization, by Sidath Viranga Panangala. 

21 Cal. Civ. Code § 1798.82. 

22 See generally CRS Report RL33199, Personal Data Security Breaches: Context and Incident 
Summaries, by Rita Tehan (Table 1 summarizes selected data security breaches since 2000). 
breaches disclosed in 2005 tended to involve either the creation of fraudulent accounts, 
stolen laptops or computers, hacking, compromised passwords, insider or employee theft, 
or lost or misplaced discs or back-up tapes. In response to numerous disclosures of 
security breaches and public concern, and in the absence of a comprehensive federal data 
security or data breach notification law, many states have enacted laws requiring 
consumer notice of security breaches of personal data. The majority of states have 
introduced or passed bills that would require companies to notify persons affected by 
security breaches and, in some cases, to implement information security programs to 
protect the security, confidentiality, and integrity of data. 23 

As of December 2006, 34 states had enacted data security laws. 24 The two 
predominant themes are consumer notification requirements in the event of a data breach 
and consumer redress. A chart highlighting differences in selected major provisions of 
the state data breach notification laws was compiled by BNA. 25 Most of the statutes cover 
private entities and government agencies. The states also impose obligations on service 
providers to notify the owner or licensor of the data of a breach that occurs. Many of the 
state laws follow the basic framework of the California breach notification law. The 
majority of state laws apply to electronic or computerized data only. Notice provisions 
addressed by the states include description of triggering events, consideration of the level 
of harm or the risk of misuse that triggers notification, recipients of notification, timing 
of notice, method of notification, and content of notice. In addition, state laws include 
exemptions for entities that are regulated under federal privacy laws (e.g., the 
Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, or the 
Interagency Guidelines); expanded definitions of “personal information”; notification 
requirements to consumer reporting agencies for customers affected by security breaches 
of personal information; civil penalties for failure to promptly notify customers of a 
security breach; requirements for the implementation of information security programs; 
creation of a private right of action to recover actual damages from businesses for failure 
to notify customers of a security breach in a timely manner; providing consumers the right 
to place a credit freeze on their credit report; restrictions on the sale and use of social 
security numbers; and enhanced criminal penalties for identity fraud. 




23 Thomas J. Smedinghoff, Security Breach Notification — Adapting to the Regulatory 
Framework, 21 The Review of Banking & Financial Services 1 15-124 (Dec. 2005). 

24 Alabama, Alaska, Arizona, California, Colorado, Delaware, Georgia, Hawaii, Idaho, Illinois, 
Indiana, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, 
Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, Oklahoma, 
Pennsylvania, Rhode Island, Tennessee, Utah, Vermont, Virginia, West Virginia, and Wisconsin. 
2006 Breach of Information Legislation, National Conference of State Legislatures at 
[http://www.ncsl.org/programs/lis/CIP/priv/breach06.htm]; see also 50 State Surveys: Financial 
Services Security Breach Legislation (West 2005); “New Data Security Laws Take Effect in 
Several States,” 75 U.S. Law Week 2388 (Jan. 9, 2007). 

25 “State Breach Notice Laws Have Similarities, But Significant Differences Require Attention,” 
89 BNA Analysis & Perspective 176 (Aug. 12, 2005) (hypertext “Links to Text of State Data 
Security Breach Consumer Notification Laws” chart included on p. 180). 




